Unfortunately, Nikto added options to evade an Intrusion Detection System (IDS). I think it is unfortunate because this tool should not be used to test an IDS. Nikto was designed to quickly find known vulnerable software. Most of the CGIs it looks for are very old and do not always try to exploit vulnerability. Some tests check only whether the filename of a page is the same as known vulnerable software (/cgi-bin/mail.pl, for example). This does not mean the CGI installed is vulnerable to anything, and a request to such a script is legitimate.
The default traffic generated by Nikto can easily be flagged by an IDS since each HTTP request contains “Nikto/1.35” in the user-agent header. With one signature, an IDS would detect all the tests. The evasion options do not necessarily make it harder for the IDS to detect something.
To add an evasion technique, use the option -evasion followed by one of the technique numbers 1–9 below:
1. URL encoding. The URL is encoded. Today’s high-end IDS can manage encoded URLs without a problem. This evasion technique does not make any difference to a sophisticated IDS.
2. Add /./ in front of each URL. With the same URL decoding feature used for the previous evasion technique, the IDS easily restores the original URL. Since this is a known evasion technique, this technique would probably be detected by most IDSes, making it less than useless.
3. Premature URL ending. Nikto actually adds random folders followed by /../. For example, instead of requesting /icons, Nikto requests /foo/bar/../../icons, which is functionally the exact same thing. As in evasion 2, not only can the IDS understand the canonical URL just like the web server, it also detects the /../ as a directory traversal, a well-known technique.
4. Append random long strings. Same technique as before, but with much longer strings and the same results.
5. Fake parameters. Add unnecessary parameters (/uri/?foo=bar). This does not make any difference to a decent IDS.
6. Tab as request spacer. Use a tab instead of a space to separate the different elements of the URL. Once again, this does not bother a decent IDS.
7. Case-insensitivity. Change random characters to uppercase. Windows servers do not care about case-insensitivity, so the test would be valid in this instance. But for most other systems that are case-sensitive (e.g., *nix), the new URLs created do not make sense. For example, /cgi-bin/mail.pl is different from /cgi-BIn/mAIl.Pl for Apache on Linux. This evasion technique should be used very carefully.
8. Use \ as folder separation. This is the same case as above. Using \ instead of / may be fine with IIS on Windows, but it is not for *nix: the new URL would not make sense. You may argue that Internet Explorer allows you to use / or \ indifferently in a URL regardless of the web server, but it actually translates \ to / when it does the request.
9. Session splicing. This is the only interesting evasion technique, even if it is quite old. It is basically Nikto + fragroute (http://monkey.org/~dugsong/fragroute/). Nikto generates one-byte data packets. It is a good way to easily test how an IDS handles heavily fragmented traffic without the hassle of installing fragrouter.
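To show why evasions 1 through 8 do not trouble a decent IDS, here is a small canonicalizer, added as an example and not part of the original text or of Nikto, that undoes each transformation before comparing the request path against a signature; the sample request lines and the user-agent string are constructed for the example, and the matching goes slightly beyond the list by letting the defender decide whether case should be ignored (evasion 7), which only makes sense for a case-insensitive server.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines: the first is Nikto's plain check,
# the others apply evasions 1-8 from the list above to the same path.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/mail.pl HTTP/1.0",
    "GET /cgi-bin/mail%2Epl HTTP/1.0",               # 1: URL encoding
    "GET /./cgi-bin/./mail.pl HTTP/1.0",             # 2: /./ in front
    "GET /foo/bar/../../cgi-bin/mail.pl HTTP/1.0",   # 3/4: random dirs + /../
    "GET /cgi-bin/mail.pl?foo=bar HTTP/1.0",         # 5: fake parameters
    "GET\t/cgi-bin/mail.pl\tHTTP/1.0",               # 6: tab as spacer
    "GET /cgi-BIn/mAIl.Pl HTTP/1.0",                 # 7: random uppercase
    "GET \\cgi-bin\\mail.pl HTTP/1.0",               # 8: backslash separator
]


def canonical_path(request_line: str) -> str:
    """Return the request path as the web server would interpret it."""
    parts = re.split(r"[ \t]+", request_line.strip())   # 6: tab or space
    target = parts[1] if len(parts) > 1 else parts[0]
    target = target.split("?", 1)[0]                     # 5: drop the query
    target = unquote(target)                             # 1: percent-decode
    target = target.replace("\\", "/")                   # 8: \ becomes /
    stack = []
    for segment in target.split("/"):
        if segment in ("", "."):                         # 2: skip /./ and //
            continue
        if segment == "..":                              # 3/4: pop parent dir
            if stack:
                stack.pop()
            continue
        stack.append(segment)
    return "/" + "/".join(stack)


def matches_signature(request_line: str, signature: str = "/cgi-bin/mail.pl",
                      case_insensitive: bool = False) -> bool:
    """Compare the canonical path with a known-CGI signature (7: optional case fold)."""
    path = canonical_path(request_line)
    if case_insensitive:
        return path.lower() == signature.lower()
    return path == signature


def nikto_user_agent(headers: dict) -> bool:
    """The single signature that catches every default Nikto test."""
    return "Nikto/" in headers.get("User-Agent", "")
```

Run against SAMPLE_REQUESTS, every line except the uppercase one canonicalizes to /cgi-bin/mail.pl, and the uppercase one matches only when the defender opts into case-insensitive matching for a Windows target.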
Nikto should be used to detect vulnerable applications that should not have been installed on a network. But it should not be used to test the coverage of an IDS, even if the addition of evasion techniques suggests that it has been designed for this. By the same token, Nessus also contains checks for vulnerable CGIs, but not as many as Nikto.
3.3 WebInspect
WebInspect 7.0 is a proprietary web scanner from SPI Dynamics. A license for one target IP address is about $4,500. It is available on Windows only.
Version 7 requires Windows XP or higher, with .NET 2.0 and SQL Server Express. If you get the error “Cannot alter the login 'sa', because it does not exist or you do not have permission” while installing SQL Server Express, refer to http://support.microsoft.com/?kbid=917827 for a workaround.
If you have not previously installed .NET 2.0, you are required to log out of Windows twice: once after the installation of the .NET package and once after the first start up of WebInspect.
Purpose
Like Nikto, this scanner does check for some known vulnerabilities, but it also does much more. WebInspect first crawls the web site to figure out its structure, all the files available, the parameters used in the URL, and the web forms. It uses this information to create traffic derived from both known vulnerabilities and generic vector attacks (SQL injection, cross-site scripting, command injection) for your web application.
WebInspect is a great tool to test the robustness of a web application. It was used to find cross-site scripting in Tikiwiki (an open source wiki), code execution in Oracle Web server 10g, and information disclosure in IBM WebSphere. It can also be used to test web services.
WebInspect Scan
A wizard drives you through the main options to start a new scan:
URL
If the web site is not on the standard port 80, you need to include the port number in the URL—for example, http://www.mydomain.net:88/.
Restrict to folder
Assessment method
By default, the web site is crawled and audited at the same time, so you get results early. You can select “Prompt for web form values during scan.” During the first scan, every time WebInspect finds a form, it prompts you for the values to enter. These values are stored and used automatically for future scans. This is especially useful if you use a web form for authentication and you want to give WebInspect access to the private content of your web site.
Settings
See the section “Settings Tuning” later in this chapter for the scan settings.
Select a Policy
See the section “Policy Tuning” later in this chapter for more details about predefined and custom policies. To get the detailed list of checks enabled in a policy, click on Create after selecting the policy to view.
Network Authentication
WebInspect handles four types of identification: HTTP Basic, NTLM, Digest, and Kerberos. It can automatically detect what type of authentication is used on the web site. Enter a login and password to be used. If your authentication is done through a web form, select “Prompt for web form values during scan” on the first screen, as explained previously in the description for the Assessment method.
Auto-fill web forms
You can change the default values such as zip code, email address, and so on used in the web forms, and add more of them.
Network Proxy
You can specify an optional proxy server to use. WebInspect includes its own proxy. See the section “WebInspect Tools” later in this chapter for more details. You do not need to fill out all these options. You can click on Finish at any time to run a scan with the default options (standard policy, no network authentication, no external proxy, and so on).
If the target is on your local network but also has a public IP address on the Internet and uses virtual hosts, you may have problems scanning it with a 1-IP address license from SPI. For example, the local IP address of the target http://domain.net/ is 192.168.1.50, and its public IP address is 212.212.212.212. You would have a license for 192.168.1.50. But if you ask WebInspect to scan http://domain.net/, it may be resolved as 212.212.212.212 by your DNS server. To bypass this, edit the host file c:\Windows\system32\drivers\etc\hosts and add the following line:
192.168.1.50 domain.net www.domain.net
This file is checked first by Windows when it needs to resolve a